
DIVD-2025-00022 - SolarEdge SE3680H and SolarEdge Monitoring Platform vulnerabilities

Our reference DIVD-2025-00022
Case lead Victor Pasman
Researcher(s)
  • Hamid Rahmouni
  • Alexandros Tokatlis
  • Akram Hamdi
CVE(s)
Patch status Available
Workaround N/A
Status Open
Last modified 05 Feb 2026 19:54 CET

Summary

We reviewed four publicly disclosed vulnerabilities affecting SolarEdge products: three issues in the SolarEdge SE3680H device line (firmware versions >= 4.0 and < 4.22) and one issue in the SolarEdge Monitoring Platform (SaaS). The SE3680H issues are physical-access oriented and include: an exposed debug/test interface, sensitive information exposure via bootloader diagnostics, and exposure to risk from an outdated Linux kernel with unpatched vulnerabilities.

The Monitoring Platform issue is a network-reachable cross-site scripting (XSS) vulnerability that can be triggered by an authenticated user via a crafted report name during a deletion attempt.

Affected products

Vulnerability details

CVE-2025-36743 — Exposed debug/test interface (SE3680H)

An exposed debug/test interface is accessible to unauthenticated actors with physical access, enabling disclosure of system internals and execution of debug commands.

CVE-2025-36744 — Bootloader-loop diagnostic information exposure (SE3680H)

During a bootloader loop, the device emits diagnostic output that may leak operating system information to an unauthenticated actor with physical access.

CVE-2025-36745 — Outdated Linux kernel / unmaintained components (SE3680H)

The device ships with an outdated Linux kernel containing unpatched vulnerabilities. The advisory notes exploitation may enable outcomes such as code execution, privilege escalation, or sensitive information disclosure (depending on the underlying kernel flaws).

CVE-2025-36746 — XSS on report deletion flow (SolarEdge Monitoring Platform)

An authenticated user can inject payloads into report names; the payload may execute in another user’s browser during a deletion attempt.
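The following is an added illustration, not code from DIVD or from the SolarEdge platform, of the pattern behind a stored XSS in a deletion flow and the output-encoding fix that closes it. Function names, the report-name sample and the markup layout are all constructed for the example; the actual platform code is not on the page.

```python
import html
import json

# Constructed sample: a report name containing markup, as an authenticated user
# could store it. This is test input for the example, not a payload from the advisory.
SAMPLE_NAME = 'Q3 <script>alert(1)</script>'


def delete_prompt_vulnerable(report_name: str) -> str:
    """Vulnerable pattern: the stored name is interpolated into HTML unchanged,
    so any markup in it is rendered by the browser of whoever opens the dialog."""
    return f'<p>Delete report "{report_name}"?</p>'


def delete_prompt_hardened(report_name: str) -> str:
    """Hardened pattern: HTML-encode the name before it enters element content.
    quote=True also encodes quotes, so the same helper is safe inside attributes."""
    safe = html.escape(report_name, quote=True)
    return f'<p>Delete report "{safe}"?</p>'


def delete_confirm_script(report_id: int, report_name: str) -> str:
    """If the name must reach an inline script (for a JS confirm()), HTML escaping
    is the wrong encoder. JSON-serialise it and neutralise '</' so the string can
    never terminate the surrounding <script> element."""
    literal = json.dumps(report_name).replace("</", "<\\/")
    return (
        "<script>"
        f'if (confirm("Delete " + {literal} + "?")) deleteReport({int(report_id)});'
        "</script>"
    )


def contains_raw_tag(markup: str, tag: str = "script") -> bool:
    """Simple check used to demonstrate the difference between the two renderers."""
    return f"<{tag}>" in markup


if __name__ == "__main__":
    print(delete_prompt_vulnerable(SAMPLE_NAME))
    print(delete_prompt_hardened(SAMPLE_NAME))
    print(delete_confirm_script(42, SAMPLE_NAME))
```

The point of the third function is that encoding is context-specific: a name that is safe in element content after `html.escape` is not automatically safe inside a script block, and vice versa. A practitioner reviewing a deletion flow should look for every place the stored name is emitted and confirm the encoder matches that context.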

What you can do

We strongly advise impacted organisations to apply the available security patches immediately.
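Before patching, an operator needs to know which SE3680H units actually fall in the affected range the summary gives (firmware >= 4.0 and < 4.22). The check below is an added example, not a DIVD or SolarEdge tool; the inventory records and device names are constructed, and the firmware-string format is assumed to be plain dotted numbers. It exists mainly to show the classic mistake of comparing versions as strings, under which "4.5" sorts above "4.22" and is wrongly treated as patched.

```python
import re
from dataclasses import dataclass

# Affected range stated in the advisory for the SE3680H line.
AFFECTED_MIN = (4, 0)   # inclusive
FIXED_FROM = (4, 22)    # exclusive: 4.22 and later are outside the range


def parse_version(text: str) -> tuple:
    """Turn a dotted firmware string such as '4.22' or '4.5.1' into a tuple of ints.

    Tuples compare component by component, so (4, 5) < (4, 22) as intended;
    a plain string comparison would rank '4.5' above '4.22'.
    Format assumption: optional leading 'v', then digits separated by dots.
    """
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad so a bare major like '4' compares as '4.0'.
    return parts if len(parts) >= 2 else parts + (0,)


def is_affected(version_text: str) -> bool:
    """True when the firmware lies in [4.0, 4.22)."""
    return AFFECTED_MIN <= parse_version(version_text) < FIXED_FROM


@dataclass
class Device:
    name: str
    model: str
    firmware: str


def triage(devices) -> list:
    """Names of SE3680H devices whose firmware is in the affected range."""
    return [d.name for d in devices if d.model == "SE3680H" and is_affected(d.firmware)]


# Constructed sample inventory; names and versions are invented for the example.
SAMPLE_INVENTORY = [
    Device("inv-01", "SE3680H", "4.21"),
    Device("inv-02", "SE3680H", "4.22"),
    Device("inv-03", "SE3680H", "4.5"),     # string compare would call this patched
    Device("inv-04", "SE3680H", "3.9"),
    Device("inv-05", "OTHER-MODEL", "4.1"),  # different product line, out of scope
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: in affected firmware range, schedule update")
```

Feed the same logic your real inventory export and treat any `ValueError` from `parse_version` as a device whose firmware string needs manual review rather than silently skipping it.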

Timeline

Date          Description
18 Jun 2025   Started disclosure process with supplier.
21 Sep 2025   Resolved feedback from supplier and shared additional information with supplier.
04 Dec 2025   Agreed on disclosure time.
18 Dec 2025   CVE records have been published.

More Information